Cybersecurity issues in the healthcare industry have proliferated recently, as was proven last year by major hacks related to Premera Blue Cross, Anthem, and the UCLA Health System. Electronic protected health information (“ePHI”) has significant value in black markets, making it a particularly valuable target for hackers. Many insurers and health systems have begun to take steps to prevent cyberattacks which begs the question: is any organization too small to be hacked?
The reality is an organization’s size may not matter as criminal attacks are now a leading cause of data breaches in healthcare, resulting in reputational harm and civil and criminal penalties imposed by The U.S. Department of Health and Human Services’ Office for Civil Rights and The U.S. Department of Justice.
The HIPAA Security Rule requires appropriate safeguards to ensure the confidentiality, integrity, and security of ePHI, which, for the following areas, may be of particular concern:
Use of Mobile Devices
Mobile devices, such as laptops and smartphones, are not only more likely to get lost or stolen, but are more susceptible to unauthorized viewing and wireless eavesdropping and interception. To mitigate such risk, practices should consider the following:
- Encryption of data on a device and only using devices that can support encryption.
- Avoid transmitting or receiving ePHI wirelessly unless the data is encrypted.
- Having a system in place to report theft or loss to the practice’s information technology (“IT”) personnel so that they may remotely wipe a device.
- Device users taking precaution to ensure that the device is with them at all times and not viewable by unauthorized individuals.
Reliable backup can be used in an emergency and to ensure that a practice’s activities remain uninterrupted by natural disasters like hurricanes and floods and cybersecurity breaches such as ransomware attacks and phishing scams. As such, practices should consider:
- Usage of a cloud-based storage platform or physical backup media such as magnetic tape, CDs, and removable hard drives.
- Ensuring that physical backup media is stored in a secure manner which may mean storage in a remote location.
- Testing reusable backup media to ensure reliability as it can wear out over time.
- Having a data backup and disaster recovery plan in place as required by law.
Business associates (“BAs”) are integral in providing necessary management, administrative, legal, and financial functions. It is crucial that practices have business associate agreements that address:
- BA’s implementation of equivalent safeguards to ensure the security of ePHI created, received, maintained, or transmitted on behalf of the practice.
- A clear and defined method and time frame by which to report any data breaches to the practice to mitigate potential harm.
- The practice approving of any offshore outsourced subcontractors used by the BA that may be more vulnerable to data breaches and cyberattacks.
It is likely that many small and mid-sized practices are lulled into a false sense of security, believing that they are less likely to be susceptible to a cyberattack. A thorough analysis is crucial, however, and allows a practice to address any security gaps and improve upon their policies, procedures and training. With cybersecurity breaches affecting every type of health care organization and ePHI being more valuable than ever, there is no better time for a practice, regardless of size or complexity, to get in front of an emerging and almost inevitable issue.